By pen testing, I mean

Black/gray/white box testing
Ethical hacking
Security auditing
Vulnerability assessment
Standards compliance
Training
All of the above

SHODAN for Penetration Testers

WHAT IS SHODAN?

What is SHODAN? (1)

SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)

While SHODAN is a search engine, it is much different than content search engines like Google, Yahoo or Bing

What is SHODAN? (2)

Typical search engines crawl for data on web pages and then index it for searching

SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching

What is SHODAN? (3)

Rather than locating specific content on a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners

Optimizing search results requires some basic knowledge of banners

SHODAN for Penetration Testers

BASIC OPERATIONS

[Screenshot: SHODAN home page (http://www.shodanhq.com/) with Register and Login links, the feature list (search the internet for servers, routers and more; find computers running certain software such as HTTP or FTP; filter hosts based on geographic location) and the "Popular Searches" list:]

cisco-ios last-modified: Finds Cisco-IOS results that do not require any authentication ;-)
default password: Finds results with "default password" in the banner; the named defaults might work!
FTP anon successful: this search does not provide as many results as the other ftp search, but it looks like all the results that come back are successful anonymous logins
IIS 4.0 webservers: Almost all false positives removed by excluding other versions and http error codes

[Screenshot: SHODAN search form with Query, Country, Service and Hostname (full or partial) fields]

[Screenshot: "SHODAN Computer Search Engine" search provider Firefox add-on selected in the browser's search-engine menu]

Basic Operations: Search

Search terms are entered into a text box (seen below)

Quotation marks can narrow a search

Boolean operators + and - can be used to include and exclude query terms (+ is implicit default)

[Screenshot: SHODAN search box]

Basic Operations: Login

Create and log in using a SHODAN account; or

Log in using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID)

Login is not required, but country and net filters are not available unless you log in

Export requires you to be logged in

[Screenshot: SHODAN login page (http://www.shodanhq.com/account/login) offering sign-in with a Google, Twitter, Yahoo, AOL, Facebook or OpenID account, or with a SHODAN username and password]

Basic Operations: Filters

country: filters results by two letter country code
hostname: filters results by specified text in the hostname or domain
net: filter results by a specific IP range or subnet
os: search for specific operating systems
port: narrow the search for specific services

[Screenshot: SHODAN home page]

Basic Operations: Country Filter

Filtering by country can be accomplished by clicking on the country map (available from the drop down menu)

Mouse over a country for the number of scanned hosts for a particular country

[Screenshot: SHODAN results for the query "apache country:CH" (results 1 - 10 of about 24404); each result lists the host's IP address, operating system, date added and HTTP banner. Callout: Find all 'apache' servers in Switzerland]

[Screenshot: SHODAN results for the query "apache 2.2.3" (results 1 - 10 of about 1307968), with the top four countries matching the query; the listed banners show "Server: Apache/2.2.3 (CentOS)". Callout: Find 'apache' servers running version 2.2.3]

Basic Operations: Hostname Filter

Search results can be filtered using any portion of a hostname or domain name

[Screenshot: search box with the query "apache hostname:.nist.gov". Callout: Find 'apache' servers in the .nist.gov domain]

[Screenshot callout: Find 'iis-5.0' servers in the .edu domain]

Basic Operations: Net / OS Filters

The net filter allows you to refine your searches by IP/CIDR notation

The OS filter allows you to refine searches by operating system

Basic Operations: Port Filter

SHODAN can filter your search results by port

Current collection is limited to ports 21 (FTP), 22 (SSH), 23 (Telnet), and 80 (HTTP), while the overwhelming majority of collection is HTTP

More ports/services coming (send requests to the developer via Twitter)

Basic Operations: Searches

Popular searches are available on the main page

Logged in users can save searches and share them with other users

Basic Operations: Export

SHODAN lets you export up to 1,000 results per credit in XML format

Credits can be purchased online

Sample data export file is available

<shodan>
<summary date="2010-03-16 23:23:19.921034" query="apache" total="6287987"/>
<host country="US"
      hostnames="1stadvantagebailbond.com"
      ip="198.171.76.21"
      port="80"
      updated="16.03.2010">
HTTP/1.0 200 OK
Date: Tue, 16 Mar 2010 07:43:07 GMT
Server: Apache/1.3.41 (Unix) FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7m
Last-Modified: Tue, 17 Nov 2009 17:40:25 GMT
ETag: "19258d5-591-4b02e009"
Accept-Ranges: bytes
Content-Length: 1425
Content-Type: text/html
</host>
...
</shodan>

SHODAN for Penetration Testers

PENETRATION TESTING

Pen Testing: Ethics (1)

Is it acceptable under any circumstances to view the configuration of a device that requires no authentication to view?

What about viewing the configuration of a device using a default username and password?

What about viewing the configuration of a device using a unique username and password?

Changing the configuration of any device?

Pen Testing: Ethics (2)

[Diagram with four labels: Default username and password; Changing configurations; No authentication; Unique username and password]

Pen Testing Applications

Using SHODAN for penetration testing requires some basic knowledge of banners including HTTP status codes

Banners advertise service and version

Banners can be spoofed (unlikely?)

Pen Testing: HTTP Status Codes

Status Code         Description
200 OK              Request succeeded
401 Unauthorized    Request requires authentication
403 Forbidden       Request is denied regardless of authentication

Pen Testing: Assumptions

"200 OK" banner results will load without any authentication (at least not initially)

"401 Unauthorized" banners with Www-authenticate indicate a username and password pop-up box (authentication is possible but not yet accomplished, as distinguished from "403 Forbidden")

Some banners advertise defaults
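
The XML layout from the Export slide and the banner assumptions above, combined in an added example (not code from the original deck or from SHODAN): it parses an export covering your own address space and sorts each banner by status code and authentication challenge, so interfaces that answer without a login can be queued for remediation. Element and attribute names follow the sample export; the sample data, function names and category labels are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for files from untrusted sources, prefer the third-party defusedxml

# Constructed export in the layout of the sample file on the Export slide.
# IPs are RFC 5737 documentation addresses; hostnames and banners are invented.
SAMPLE_EXPORT = """<shodan>
<summary date="2010-03-16 23:23:19.921034" query="net:192.0.2.0/24" total="5"/>
<host country="US" hostnames="gw1.example.com" ip="192.0.2.10" port="80" updated="16.03.2010">
HTTP/1.0 401 Unauthorized
Www-authenticate: Basic realm="level_15 or view_access"
Server: cisco-IOS
</host>
<host country="US" hostnames="gw2.example.com" ip="192.0.2.11" port="80" updated="16.03.2010">
HTTP/1.0 200 OK
Server: cisco-IOS
Last-modified: Tue, 08 Jun 1993 06:55:45 GMT
</host>
<host country="US" hostnames="www.example.com" ip="192.0.2.12" port="80" updated="16.03.2010">
HTTP/1.0 403 Forbidden
Server: Apache/2.2.3 (CentOS)
</host>
<host country="US" hostnames="" ip="192.0.2.13" port="80" updated="16.03.2010">
HTTP/1.0 401 Unauthorized
Www-authenticate: Basic realm="admin console, default password on label"
</host>
<host country="US" hostnames="" ip="192.0.2.14" port="21" updated="16.03.2010">
220 FTP server ready
</host>
</shodan>"""

STATUS_LINE = re.compile(r"HTTP/\d\.\d\s+(\d{3})\b")


def parse_banner(raw):
    """Return (status code or None, {lower-cased header name: value}) for one banner."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    match = STATUS_LINE.match(lines[0]) if lines else None
    if not match:
        return None, {}  # FTP/SSH/Telnet banner, or an empty one
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def classify(status, headers):
    """Apply the slide's assumptions; the labels are this example's own."""
    if status is None:
        return "non-http"
    if status == 200:
        return "no-auth-challenge"   # loads without authentication, at least initially
    if status == 401 and "www-authenticate" in headers:
        return "auth-challenge"      # username/password prompt
    if status == 403:
        return "forbidden"           # denied regardless of authentication
    return "other"


def triage(xml_text):
    """Turn every <host> element of an export into a classified record."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        raw = host.text or ""
        status, headers = parse_banner(raw)
        rows.append({
            "ip": host.get("ip"),
            "port": int(host.get("port") or 0),
            "server": headers.get("server", ""),
            "status": status,
            "category": classify(status, headers),
            # "Some banners advertise defaults": flag the phrase wherever it appears
            "advertises_default": "default password" in raw.lower(),
        })
    return rows


def needs_review(rows):
    """Hosts to fix first: no login challenge, or a banner that mentions defaults."""
    return [r for r in rows
            if r["category"] == "no-auth-challenge" or r["advertises_default"]]


if __name__ == "__main__":
    for row in needs_review(triage(SAMPLE_EXPORT)):
        print(row["ip"], row["port"], row["category"], row["server"])
```

A banner is only what the service advertised when it was scanned, so each flagged host still needs to be confirmed against the device itself before it is closed out.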

SHODAN for Penetration Testers

CASE STUDY: CISCO DEVICES

Case Study: Cisco Devices

Here is a typical "401 Unauthorized" banner when using the simple search term "cisco":

HTTP/1.0 401 Unauthorized
Date: Tue, 01 Dec 2009 16:09:46 GMT
Www-authenticate: Basic realm="level_15 or view_access"
Connection: close
Accept-ranges: none
Server: cisco-IOS

Take note of the Www-authenticate line which indicates the requirement for a username and password

Case Study: Cisco Devices

Now consider an example of a "200 OK" banner which does not include the Www-authenticate line:

HTTP/1.0 200 OK
Transfer-encoding: chunked
Accept-ranges: none
Expires: Tue, 08 Jun 1993 06:55:45 GMT
Server: cisco-IOS
Last-modified: Tue, 08 Jun 1993 06:55:45 GMT
Connection: close
Cache-control: no-store, no-cache, must-revalidate
Date: Tue, 08 Jun 1993 06:55:45 GMT
Content-type: text/html

Case Study: Cisco Devices

A comparison of the two banners finds the second banner to include the Last-modified line which does not appear when Www-authenticate appears:

HTTP/1.0 401 Unauthorized
Date: Tue, 01 Dec 2009 16:09:46 GMT
Www-authenticate: Basic realm="level_15 or view_access"
Connection: close
Accept-ranges: none
Server: cisco-IOS

HTTP/1.0 200 OK
Transfer-encoding: chunked
Accept-ranges: none
Expires: Tue, 08 Jun 1993 06:55:45 GMT
Server: cisco-IOS
Last-modified: Tue, 08 Jun 1993 06:55:45 GMT
Connection: close
Cache-control: no-store, no-cache, must-revalidate
Date: Tue, 08 Jun 1993 06:55:45 GMT
Content-type: text/html

In fact, among "cisco" results these two lines are more than 99% mutually exclusive

Case Study: Cisco Results

Search                                  Results
cisco                                   251,742
cisco-ios                               226,184
cisco www-authenticate                  225,402
cisco last-modified                     4,265
cisco last-modified www-authenticate    56

Case Study: Cisco Results

This suggests that Cisco "200 OK" banners that include the Last-modified line do not require any authentication (at least not initially)

The results on the previous slide suggest there are potentially 4,200+ Cisco devices that do not require authentication

[Screenshot: home page of a Cisco 1812W router's web interface, loaded in the browser without a login prompt, with links to show the diagnostic log, monitor the router (HTML access to the command line interface at levels 0 to 15), show tech-support, extended ping, QoS Device Manager and VPN Device Manager. Callout: Surely these HTML links will require some additional authentication...]

[Screenshot: the same web interface listing configure commands (aaa, access-list, alias, ...). Callout: Nope. No authentication required for Level 15! No authentication required for configure commands]

[Screenshot: the same web interface listing exec commands (access-enable, access-profile, access-template, ...). Callout: No authentication required for Level 15 exec commands]

[Screenshot: output of "show running-config" and "show cdp neighbors" returned by the same web interface: the running configuration (version 12.3, service password-encryption, no aaa new-model) and CDP neighbor entries for two Cisco 3745 devices reached over tunnel interfaces]



[Screenshot: home page of a Cisco Aironet 350 Series access point's web interface (Cisco IOS Series AP), showing summary status: association, network identity, network interfaces and the event log]

[Screenshot: Express Set-Up page of the same access point, showing host name, MAC address, IP settings, SNMP community and radio settings]

[Screenshot: Express Security Set-Up page, showing SSID, VLAN and security options (No Security, Static WEP Key, EAP Authentication, WPA)]

[Screenshot: Network Interfaces summary page for the FastEthernet and Radio0-802.11B interfaces]

[Screenshot: Security summary page, listing administrators, SSIDs, radio encryption settings and server-based security]

[Screenshot: Services summary page: Telnet/SSH enabled/enabled, Hot Standby disabled, CDP disabled, DNS enabled, filters defined, HTTP enabled, QoS disabled, STREAM disabled, SNMP enabled, SNTP enabled, VLAN disabled, ARP caching disabled]



217.75.0.230 :: Cisco Device Manager - Mozilla Fiiefox 




i^^-^^-^rf 



^]S 



File Edit View History Bookmarks Tools Help ^ G0 
M T C X <±* ( g| http://217.75.0.230/xhorne.htrn 



ft 



W T Wikjpedia (en) 



2 9 t 



> 5HODAN - Computer Search Engine 



217.75.0.230 : Cisco Device Mana... 



Catalyst 2960 Series Device Manager - STCM-swl.cb3.bck 



tf^Refresh f-^Print "wU Smartports ^_g Software Upgrade [^Legend ^/Help 



Language: 



English v 

ii|)ii|it 
CISCO 



1 



Uptime: L year, 32 weeks,, 2 days, 19 hours, 28 minutes 



Next refresh in 55 seconds 



View 




Move the pointer over the ports for more information, 




Contents 



Dashboard 

► Configure 

► Monitor 

► Maintenance 
Network Assistant 



Dashboard 



Switch Information 


Host Name: 


STCM-swl.cb3.bck 


Product ID: 


WS-C29G0-24TT-L 


IP Address: 


217.75.0.230 


MAC Address: 


00:1E:BD:E8:13:80 


Version ID: 


V03 


Serial Number: 


FQC1149W02J 


Software: 


12.2(35)SE5 


Contact: 




Location: 





Switch Health 



Bandwidth Used 



View Trends 



0% 



Packet Error 



0% 



Fan 






OK 



Temp 



I 



OK 



Port Utilization 



View Trends i View Port Statistics 



o/a 



100- 
80- 
60- 

^:_ 

20_ 




1 2 3 4 5 6 7 S 9 10 11 12 13 14 15 IS 17 IS 19 20 21 22 23 24 1 2 



Done 



SP| ^ FoxyProxy: Disabled 




^9 
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217.75.0.230 :: Cisco Device Manager - Mozilla Fiiefox 




i^^-^^-^rf 



ff][x) 



File Edit View History Bookmarks Tools Help ^ G0 
M T C X <±* ( g| http://217.75.0.230/xhorne.htrn 



ft 



W T Wikjpedia (en) 



2 9 t 



> SHODAN - Computer Search Engine 



217.75.0.230 : Cisco Device Mana... 



Catalyst 2960 Series Device Manager - STCM-swl.cb3.bck 



tf^Refresh f-^Print "wU Smartports ^_g Software Upgrade [^Legend ^/Help 



Language: 



English v 

ii|)ii|it 
CISCO 



1 



Uptime: L year, 32 weeks,, 2 days, 19 hours, 28 minutes 



Next refresh in 27 seconds 



View 



Contents 



Dashboard 
▼ Configure 

Smartports 
Port Settings 
Express Setup 

■ Restart/ Reset 

► Monitor 

► Maintenance 
Network Assistant 





Move the pointer over the ports for more information. 



Port Settings 




Submit 




Done 



m m 



FoxyProxy: Disabled 



Port ^ 


Description 


Enable 


Speed 


Duplex 


FaO/13 


|SWS Spam firewall 







Auto v 






Auto v 




V 


FaO/19 


|lomegaNAS 







Auto v 




Auto v 




Fa 0/20 


|Fix-IT DRAG port 







Auto v 






Auto v 




Fa 0/2 1 


|f"k-IT Webfarm 







Auto v 




Auto v 




Fa 0/2 2 


JLynxtec Hosted ser 







Auto v 






Auto v 




FaO/23 |ESP Server 







Auto v 




Auto v] 


Fa 0/24 


|SWS Spam firewall 





Auto v 






Auto v 




Gi0/1 


|Uplinkto SW12 





Auto v 

»- ■ 




Auto v 








& 



# ^9 Q> 3 



[Screenshot: Catalyst 2960 Series Device Manager, Configure > Express Setup: network settings (management interface VLAN ID, IP address, subnet mask, default gateway), switch password, host name and Telnet access fields]



[Screenshot: Catalyst 2960 Series Device Manager, Monitor > Port Status: per-port description, status, VLAN, speed and duplex]



[Screenshot: Cisco SDM Express, Overview page for a Cisco 1841: LAN, Internet (WAN) and firewall summary; Firewall: Not Supported]



[Screenshot: Cisco SDM Express, Basic Configuration: router username and login password, enable secret password (shown as "Current Password: <none>"), hostname and domain name fields]



[Screenshot: Cisco SDM Express, LAN: LAN interface configuration (interface, IP address, subnet mask)]



[Screenshot: Cisco SDM Express, Internet (WAN): interface list with Add Connection, Edit, Delete and Disable controls]





[Screenshot: Cisco SDM Express, Routing: default route settings, with the next hop given as a router interface or an IP address]



[Screenshot: Cisco SDM Express, Security: security settings (disable services that involve security risks, such as Finger, PAD and CDP; enable logging and other services for enhanced security; encrypt passwords) and router clock settings]





SHODAN for Penetration Testers

CASE STUDY: DEFAULT PASSWORDS

Case Study: Default Passwords (1)

The 'default password' search locates servers that have those words in the banner

This doesn't suggest that these results will be using the defaults, but since they're advertising the defaults they would potentially be the lowest hanging fruit



Case Study: Default Passwords (2)

An example of a 'default password' result:

HTTP/1.0 401
Date: Sat, 21 Dec 1996 12:00:00 GMT
Www-authenticate: Basic realm="Default password: 1234"
Server: PrintSir WEBPORT 1.1

The Server line indicates this is likely to be a print server; also note the "401" status and the Www-authenticate header, which indicate the likelihood of a username and password pop-up box
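The banner reading described above, turned around for defenders as an added example (not part of the original slides): a Python script that parses HTTP banners collected from your own assets and flags any whose authentication realm or other headers advertise default credentials. The asset names, the two extra banners and the hint wording are assumptions made for the example.

```python
import re

# Wording that advertises factory credentials in a banner (assumed list, extend for your fleet).
DEFAULT_HINT = re.compile(r"default\s+(password|passwd|login|user(name)?)", re.I)

def parse_banner(raw):
    """Split a raw HTTP response banner into (status_code, {header: value})."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if not lines:
        return None, {}
    m = re.match(r"HTTP/\s*\d\.\d\s+(\d{3})", lines[0])
    status = int(m.group(1)) if m else None
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_banner(raw):
    """Return findings for one banner; an empty list means nothing was flagged."""
    status, headers = parse_banner(raw)
    challenge = headers.get("www-authenticate", "")
    scheme = challenge.split(None, 1)[0].lower() if challenge else ""
    realm = re.search(r'realm="([^"]*)"', challenge, re.I)
    findings = []
    if status == 401 and scheme == "basic":
        findings.append("basic-auth-prompt")
    if realm and DEFAULT_HINT.search(realm.group(1)):
        findings.append("realm-advertises-default-credentials")
    for name, value in headers.items():
        if name != "www-authenticate" and DEFAULT_HINT.search(value):
            findings.append("header-advertises-default-credentials:" + name)
    return findings

def audit_inventory(banners):
    """Map asset name -> findings, keeping only assets that advertise defaults."""
    report = {}
    for asset, raw in banners.items():
        findings = audit_banner(raw)
        if any("advertises-default" in f for f in findings):
            report[asset] = findings
    return report

# First banner: the one quoted on the slide. Others: constructed. Asset names: hypothetical.
SAMPLE_BANNERS = {
    "print-server": 'HTTP/1.0 401\nDate: Sat, 21 Dec 1996 12:00:00 GMT\n'
                    'Www-authenticate: Basic realm="Default password: 1234"\n'
                    'Server: PrintSir WEBPORT 1.1\n',
    "intranet-web": 'HTTP/1.1 401 Unauthorized\n'
                    'WWW-Authenticate: Basic realm="Staff area"\nServer: nginx\n',
    "file-share": 'HTTP/1.1 200 OK\nServer: ExampleNAS httpd\n',
}

if __name__ == "__main__":
    print(audit_inventory(SAMPLE_BANNERS))
```

Any asset this reports needs its vendor default changed and its banner text reworded before it is reachable from outside.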



Case Study: Default Passwords (3)

■ This does not suggest that this device is using the default password, but it does mean that it is a possibility

■ While no username is listed, a null username or "admin" is always a good guess

■ And did it work?



[Screenshot: Firefox "Authentication Required" prompt with User Name and Password fields; the site says: "Default password: 1234"]

[Screenshot: Edimax Print Server status page in Firefox, listing printing services (Raw, IPP, LPR, AppleTalk, NetWare), SMB, SNMP and NetBEUI settings]
SHODAN for Penetration Testers

CASE STUDY: HOW TO PWN AN ISP



[Screenshot: Cisco Systems web page "Accessing Cisco WS-C3750G-12S", with links for Telnet, Show interfaces, Show diagnostic log, Monitor the router (HTML access to the command line interface at levels 1 through 15), Connectivity test, Show tech-support, Extended Ping and Web Console, followed by Cisco help resources]


[Screenshot: web interface Exec tab, output of "show ip route" (complete URL /level/15/exec/-/show/ip/route/CR): a variably subnetted network with 10 subnets and 3 masks, with EIGRP (D) and EIGRP external (D EX) routes via Vlan400 and Vlan401]
[Screenshot: web interface Exec tab, output of "show running-config" (complete URL /level/15/exec/-/show/running-config/CR): a 10374-byte configuration, last changed at 06:40:37 EST Tue Apr 6 2010, including "version 12.2", "no service pad", "no service password-encryption", "aaa new-model" and two username entries, one at privilege 15 and one at privilege 2, each with "secret 5"]



[Screenshot: web interface Exec tab, output of "show cdp neighbors" (complete URL /level/15/exec/-/show/cdp/neighbors/CR): five neighbors on local interfaces Gig 1/0/2, Gig 1/0/9, Gig 1/0/10, Gig 1/0/11 and Gig 1/0/12, with platforms shown as CISCO7606, WS-C3750G, WS-C3750- and WS-C3560E]
Case Study: How to PWN an ISP

■ Two Cisco 3750 infrastructure switches with direct access to Cisco 7606 Router

■ VLAN IDs for internal ISP network, hotels, condos, apartments, convention center, public backbone...

■ SNMP server IP address and community strings
SHODAN for Penetration Testers

OTHER EXAMPLES

Some general observations

[Screenshots: SHODAN result counts for four searches]

Results 1 - 10 of about 362605 for "iis/5.0"
Results 1 - 10 of about 381 for "iis/3.0"
Results 1 - 10 of about 42 for "iis/2.0"
Results 1 - 10 of about 150 for "iis/1.0"



[Screenshot: "Wireless Network Camera with Pan/Tilt" page in Firefox: Logitec Wireless Network Camera web interface]

[Screenshot: the camera's /setup/config.html page: firmware "Version: 0100c" and a menu of setup pages (system, security, network, wireless, ddns, accesslist, audiovideo, cameracontrol, mailftp, motion, application, syslog, parafile, maintain)]
SHODAN for Penetration Testers

THE FUTURE

The Future

API in the works for program integration 
Summary report for export option 
Software fingerprints 
Collection of HTTPS 
SHODAN for Penetration Testers

CONCLUSIONS

Conclusions

SHODAN aggregates a significant amount of information that isn't already widely available in an easy to understand format

Allows for passive vulnerability analysis

Bottom line: SHODAN is a potential game-changer for pen testers that will help shape the path for future vulnerability assessments

SHODAN for Penetration Testers